You can use any tool available to create a self-signed certificate as long as they adhere to these settings:
• An X.509 certificate.
• Contains a private key.
• Created for key exchange (.pfx file).
• Subject name must match the domain used to access the cloud service.
You cannot acquire an SSL certificate for the cloudapp.net (or for any Azure-related) domain; the certificate's subject name must match the custom domain name used to access your application. For example, contoso.net, not contoso.cloudapp.net.
• Minimum of 2048-bit encryption.
• Service Certificate Only: Client-side certificate must reside in the Personal certificate store.
There are two easy ways to create a certificate on Windows, with the makecert.exe utility, or IIS.

Makecert.exe

This utility has been deprecated and is no longer documented here. For more information, see this MSDN article.

PowerShell

PowerShell$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" $password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
Note
If you want to use the certificate with an IP address instead of a domain, use the IP address in the -DnsName parameter.
If you want to use this certificate with the management portal, export it to a .cer file:
PowerShell
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

Internet Information Services (IIS)

There are many pages on the internet that cover how to do this with IIS. Here is a great one I found that I think explains it well.